AUDIT OF THE SOCIAL SECURITY ADMINISTRATION’S FISCAL YEAR 2001 FINANCIAL STATEMENTS

December 11, 2001

To: Jo Anne B. Barnhart
    Commissioner

This letter transmits the PricewaterhouseCoopers LLP (PwC) report on the audit of the Fiscal Years (FY) 2001 and 2000 financial statements of the Social Security Administration (SSA) and the results of the Office of the Inspector General's (OIG) review thereof. PwC's report includes the firm’s Opinion on the Financial Statements, its Report on Management's Assertion About the Effectiveness of Internal Control, and its Report on SSA's Compliance With Laws and Regulations.

Objective of a Financial Statement Audit

The objective of a financial statement audit is to determine whether the financial statements are free of material misstatement. An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements. An audit also includes assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall financial statement presentation.

PwC’s examination is required to be made in accordance with generally accepted auditing standards, Government Auditing Standards issued by the Comptroller General of the United States, and Office of Management and Budget (OMB) Bulletin No. 01-02. The audit includes obtaining an understanding of the internal control over financial reporting, and testing and evaluating the design and operating effectiveness of that internal control. Because of inherent limitations in any internal control, there is a risk that error or fraud may occur and not be detected. The risk of fraud is inherent in many of SSA’s programs and operations, especially within the Supplemental Security Income (SSI) program. In our opinion, people outside of the organization perpetrate the majority of frauds against SSA.

Audit of Financial Statements, Effectiveness of Internal Control, and Compliance with Laws and Regulations

The Chief Financial Officers (CFO) Act of 1990 (P.L. 101-576), as amended, requires SSA's Inspector General (IG) or an independent external auditor, as determined by the IG, to audit SSA's financial statements in accordance with applicable standards. Under a contract monitored by the OIG, PwC, an independent certified public accounting firm, performed the audit of SSA's FY 2001 financial statements. PwC also audited the FY 2000 financial statements, presented in SSA's Performance and Accountability Report for FY 2001 for comparative purposes. PwC issued an unqualified opinion on SSA's FY 2001 and 2000 financial statements. PwC also reported that SSA management’s assertion that its systems of accounting and internal control are in compliance with the internal control objectives in OMB Bulletin No. 01-02 is fairly stated in all material respects. However, the audit identified one reportable condition in SSA's internal control: SSA Needs to Further Strengthen Controls to Protect Its Information.

This is a repeat finding from prior years. It is the opinion of PwC that SSA has made notable progress in addressing the information protection issues raised in prior years. Despite these accomplishments, SSA’s systems environment remains threatened by security and integrity exposures affecting key elements of its distributed systems and networks. The general areas where exposures occurred included:

•   Implementation, enforcement, and ongoing monitoring of technical security configuration standards;
•   Implementation, enforcement, and ongoing monitoring of technical standards and rules governing the operation of firewalls on the SSA network;
•   Monitoring controls over security violations, periodic review of user access, and firewall logs; and
•   Physical access controls at non-headquarters locations.

The results of PwC’s tests of compliance disclosed no instances of noncompliance with laws and regulations that are required to be reported under Government Auditing Standards or OMB Bulletin No. 01-02.

OIG Evaluation of PwC Audit Performance

To fulfill our responsibilities under the CFO Act and related legislation for ensuring the quality of the audit work performed, we monitored PwC's audit of SSA's FY 2001 financial statements by:

•   Reviewing PwC's approach and planning of the audit;
•   Evaluating the qualifications and independence of its auditors;
•   Monitoring the progress of the audit at key points;
•   Examining its workpapers related to planning the audit and assessing SSA's internal control;
•   Reviewing PwC's audit report to ensure compliance with Government Auditing Standards and OMB Bulletin No. 01-02;
•   Coordinating the issuance of the audit report; and
•   Performing other procedures that we deemed necessary.

Based on the results of our review, we determined that PwC planned, executed and reported the results of its audit of SSA's FY 2001 financial statements in accordance with applicable standards. Therefore, it is our opinion that PwC's work provides a reasonable basis for the firm's opinion on SSA's FY 2001 and 2000 financial statements and SSA management's assertion on the effectiveness of its internal control. Based on our oversight of the audit, we concur with PwC’s finding of a reportable condition related to a weakness in internal control.

James G. Huse, Jr.
Inspector General of Social Security

PricewaterhouseCoopers LLP
1616 N. Fort Myer Dr.
Arlington VA 22209-3195
Telephone (703) 741 1000
Facsimile (703) 741 1616

REPORT OF INDEPENDENT ACCOUNTANTS

To Ms. Jo Anne B. Barnhart
Commissioner of Social Security

In our audit of the Social Security Administration (SSA), we found:

·   The consolidated balance sheets of SSA as of September 30, 2001 and 2000, and the related consolidated statements of net cost, consolidated statements of changes in net position, combined statements of budgetary resources, consolidated statements of financing, and statements of custodial activity for the fiscal years then ended are presented fairly, in all material respects, in conformity with accounting principles generally accepted in the United States of America;
·   Management fairly stated that SSA’s systems of accounting and internal control in place as of September 30, 2001 are in compliance with the internal control objectives in the Office of Management and Budget (OMB) Bulletin No. 01-02, Audit Requirements for Federal Financial Statements, requiring that transactions be properly recorded, processed, and summarized to permit the preparation of the consolidated and combined financial statements in accordance with accounting principles generally accepted in the United States of America and that assets be safeguarded against loss from unauthorized acquisition, use or disposal; and
·   No reportable instances of noncompliance with the laws and regulations we tested.

The following sections outline each of these conclusions in more detail.

OPINION ON THE FINANCIAL STATEMENTS

We have audited the accompanying consolidated balance sheets of SSA as of September 30, 2001 and 2000, and the related consolidated statements of net cost, consolidated statements of changes in net position, combined statements of budgetary resources, consolidated statements of financing, and statements of custodial activity for the fiscal years then ended. These financial statements are the responsibility of SSA’s management. Our responsibility is to express an opinion on these financial statements based on our audits.

We conducted our audits in accordance with auditing standards generally accepted in the United States of America, the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States, and OMB Bulletin No. 01-02. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement. An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements. An audit also includes assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall financial statement presentation. We believe that our audits provide a reasonable basis for our opinion.

In our opinion, the consolidated and combined financial statements referred to above and appearing on pages 65 through 85 of this performance and accountability report present fairly, in all material respects, the financial position of SSA at September 30, 2001 and 2000, and its net cost, changes in net position, budgetary resources, reconciliation of net cost to budgetary resources, and custodial activity for the fiscal years then ended in conformity with accounting principles generally accepted in the United States of America.

REPORT ON MANAGEMENT’S ASSERTION ABOUT THE EFFECTIVENESS OF INTERNAL CONTROL

We have examined management’s assertion that SSA’s systems of accounting and internal control are in compliance with the internal control objectives in OMB Bulletin No. 01-02, requiring management to establish internal accounting and administrative controls to provide reasonable assurance that transactions are properly recorded, processed, and summarized to permit the preparation of the consolidated and combined financial statements in accordance with accounting principles generally accepted in the United States of America and that assets be safeguarded against loss from unauthorized acquisition, use or disposal. SSA’s management is responsible for maintaining effective internal control over financial reporting. Our responsibility is to express an opinion on management’s assertion based on our examination.

Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants (AICPA), the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States, and OMB Bulletin No. 01-02 and, accordingly, included obtaining an understanding of the internal control over financial reporting, testing and evaluating the design and operating effectiveness of internal control, and performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion. Our examination was of the internal control in place as of September 30, 2001.

Because of inherent limitations in any internal control, misstatements due to error or fraud may occur and not be detected. Also, projections of any evaluation of internal control over financial reporting to future periods are subject to the risk that the internal control may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.

In our opinion, management’s assertion that SSA’s systems of accounting and internal control are in compliance with the internal control objectives in OMB Bulletin No. 01-02, requiring that transactions be properly recorded, processed, and summarized to permit the preparation of the consolidated and combined financial statements in accordance with accounting principles generally accepted in the United States of America and that assets be safeguarded against loss from unauthorized acquisition, use or disposal, is fairly stated, in all material respects, as of September 30, 2001.

However, we noted certain matters involving the internal control and its operation that we consider to be a reportable condition under standards established by the AICPA and by OMB Bulletin No. 01-02. A reportable condition is a matter coming to our attention relating to significant deficiencies in the design or operation of internal control that, in our judgment, could adversely affect the agency’s ability to meet the internal control objectives described above. The reportable condition we noted is that SSA needs to further strengthen controls to protect its information.

A material weakness, as defined by the AICPA and OMB Bulletin No. 01-02, is a reportable condition in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements in amounts that would be material in relation to the principal financial statements being audited, or to a performance measure or aggregation of related performance measures, may occur and not be detected within a timely period by employees in the normal course of performing their assigned duties. We believe that the reportable condition that follows is not a material weakness as defined by the AICPA and OMB Bulletin No. 01-02.

SSA Needs to Further Strengthen Controls to Protect Its Information

SSA has continued to make progress in addressing the information protection issues raised in prior years. Specifically, in FY 2001 the agency has:

·   Conducted a risk assessment to identify critical assets and vulnerabilities as part of the Critical Infrastructure Protection project;
·   Issued a final security policy for the State Disability Determination Service (DDS) sites in accordance with the information security requirements included in the National Institute of Standards and Technology (NIST) Special Publication 800-18;
·   Established and published technical security configuration standards for NT, Unix, AS 400, and firewall servers;
·   Completed updates for accreditation and certification of key systems; and
·   Further strengthened physical access controls over the National Computer Center (NCC).

Although SSA has made improvements to its entity-wide security program and standards, we identified weaknesses in controls that expose key elements of SSA’s distributed systems and networks to unauthorized access to sensitive data. The general areas where exposures occurred included:

·   Implementation, enforcement, and ongoing monitoring of technical security configuration standards throughout the SSA environment, including systems housed in the NCC and off-site housed systems;
·   Implementation, enforcement, and ongoing monitoring of technical standards and rules governing the operation of firewalls on the SSA network;
·   Monitoring controls over security violations, periodic reviews of user access, and firewall logs; and
·   Physical access controls at non-headquarters locations, including SSA’s Regional Offices, Program Service Centers, and selected State DDS facilities.

These exposures exist primarily because SSA is in the process of implementing its enterprise-wide security program. The following diagram represents a framework for a fully integrated and functional enterprise-wide security program. This information security framework diagram incorporates the key system security provisions of OMB Circular A-130, Appendix III, and associated NIST guidelines.

[Figure: Information Security Framework. Across the top: Senior Management Commitment. Inputs: Business Initiatives and Processes; Threats; Technology Strategy and Usage; Vulnerability and Risk Assessment. Along the sides: Security Vision and Strategy; Training and Awareness Program. Layers, top to bottom: Policy; Security Model; Security Architecture and Technical Standards; Administrative and End-User Guidelines and Procedures; Enforcement Processes, Monitoring Processes, Recovery Processes. Base: Information Security Management Structure.]

During fiscal year 2001, SSA has made progress in certain elements of this information security framework; however, the weaknesses we identified show that elements of the framework related to the implementation, enforcement, and monitoring of security policies and technical security standards need to be addressed. Disclosure of detailed information about these weaknesses might further compromise controls. Rather than provide such details in this report, we present them in a separate, limited-distribution management letter, and we present in this report the following examples, which provide an overview of the types of weaknesses we identified.

·   Technical Standards Implementation and Ongoing Enforcement - Security configurations for four technical environments were inconsistent with SSA guidelines for system configurations. These inconsistencies represent weaknesses in controls over these systems, which could be exploited to improperly access sensitive SSA systems and data. Further, no process has been established to monitor configurations to determine that they remain consistent with the technical configuration standards once implemented. Finally, a configuration standard has not been established to consistently address security for one of the SSA platforms.
·   Monitoring Processes - Monitoring of systems security within SSA’s network and distributed systems environment has been inconsistent. Although SSA’s program for monitoring controls over internal modems for dial-in access has been effective, its use of violation reports to monitor the effectiveness of mainframe security requires enhancement. Mainframe system security monitoring at headquarters and non-headquarters facilities, such as SSA’s Regional Offices and Program Service Center sites and State DDS facilities, was weak. Also, the monitoring of employees’ access to systems has not been periodically performed. Finally, the review of firewall logs is not consistently performed for the SSA firewalls.
·   Physical Security Enforcement Processes - Enforcement of security policies and procedures for physical access to information resources at non-headquarters locations, including SSA’s Regional Offices, Program Service Centers and selected State DDS facilities, was not sufficient. We noted weaknesses in physical security at these sites that could allow unauthorized employees or visitors to access sensitive SSA information.

Until a complete security framework is implemented and maintained, SSA’s ability to mitigate effectively the risk of unauthorized access to, and/or modification or disclosure of, sensitive SSA information will be impaired. Unauthorized access to sensitive data can result in the loss of data, loss of Trust Fund assets, and/or compromised privacy of information associated with SSA’s enumeration, earnings, benefit payment processes and programs. The need for a strong security framework to address threats to the security and integrity of SSA operations will grow as the agency continues to implement Internet and Web-based applications to serve the American public.

Recommendations

We recommend that SSA continue its efforts to fully implement the information security framework by:

·   Assigning specific resources to complete the full information security framework, with priority given to implementation, enforcement, and monitoring of technical security standards;
·   Fully implementing technical security configuration standards;
·   Establishing a process to determine that configuration standards remain consistently enforced;
·   Establishing and enforcing effective procedures for monitoring security violations, periodic review of access assignments and firewall log reviews; and
·   Consistently enforcing policies and procedures for physical access to information resources based on the concept of access required to perform assigned job responsibilities.

REPORT ON COMPLIANCE WITH LAWS AND REGULATIONS

We conducted our audit in accordance with auditing standards generally accepted in the United States of America, the standards applicable to financial audits contained in Government Auditing Standards issued by the Comptroller General of the United States, and OMB Bulletin No. 01-02.

The management of SSA is responsible for complying with laws and regulations applicable to the agency. As part of obtaining reasonable assurance about whether the agency’s financial statements are free of material misstatement, we performed tests of SSA’s compliance with certain provisions of applicable laws and regulations, noncompliance with which could have a direct and material effect on the determination of financial statement amounts, and certain other laws and regulations specified in OMB Bulletin No. 01-02, including the requirements referred to in the Federal Financial Management Improvement Act (FFMIA) of 1996. We limited our tests of compliance to these provisions and we did not test compliance with all laws and regulations applicable to SSA.

The results of our tests of compliance disclosed no instances of noncompliance with laws and regulations that are required to be reported under Government Auditing Standards or OMB Bulletin No. 01-02.

The objective of our audit of the financial statements was not to provide an opinion on overall compliance with such provisions of laws and regulations and, accordingly, we do not express such an opinion.

INTERNAL CONTROL RELATED TO KEY PERFORMANCE MEASURES

With respect to internal control related to those performance measures determined by management to be key and included on pages 36 to 51 of this performance and accountability report, we obtained an understanding of the design of significant internal control relating to the existence and completeness assertions, as required by OMB Bulletin No. 01-02. Our procedures were not designed to provide assurance on the internal control over reported performance measures and, accordingly, we do not express an opinion on such control.

CONSISTENCY OF OTHER INFORMATION

Our audit was conducted for the purpose of forming an opinion on the consolidated and combined financial statements of SSA taken as a whole. The other accompanying information included on pages 1 to 6, and 111 to the end of this performance and accountability report, is presented for purposes of additional analysis and is not a required part of the consolidated and combined financial statements. Such information has not been subjected to the auditing procedures applied in the audit of the consolidated and combined financial statements and, accordingly, we express no opinion on it.

The required supplementary information included on pages 7 to 62, and 90 of this performance and accountability report and the required supplementary stewardship information included on pages 91 to 110 of this performance and accountability report is not a required part of the consolidated and combined financial statements but is supplementary information required by OMB Bulletin No. 01-09 and the Federal Accounting Standards Advisory Board. We have applied certain limited procedures, which consisted principally of inquiries of management regarding the methods of measurement and presentation of the supplementary information. However, we did not audit the information and express no opinion on it.

Our audit was conducted for the purpose of forming an opinion on the consolidated and combined financial statements of SSA taken as a whole. The consolidating and combining information included on pages 86 to 88 of this performance and accountability report is presented for purposes of additional analysis of the consolidated and combined financial statements rather than to present the financial position, changes in net position, and reconciliation of net cost to budgetary resources of the SSA programs. The consolidating and combining information has been subjected to the auditing procedures applied in the audit of the consolidated and combined financial statements and, in our opinion, is fairly stated in all material respects in relation to the consolidated and combined financial statements taken as a whole.

Our audit was conducted for the purpose of forming an opinion on the consolidated and combined financial statements of SSA taken as a whole. The required supplementary information, Schedule of Budgetary Resources, included on page 89 of this performance and accountability report, is not a required part of the consolidated and combined financial statements but is supplementary information required by OMB Bulletin No. 01-09. This information is also presented for purposes of additional analysis of the consolidated and combined financial statements rather than to present the budgetary resources of the SSA programs. This information has been subjected to the auditing procedures applied in the audit of the consolidated and combined financial statements and, in our opinion, is fairly stated in all material respects in relation to the consolidated and combined financial statements taken as a whole.

*****

We noted other matters involving the internal control and its operation that we will communicate in a separate letter.

This report is intended solely for the information and use of the management and Inspector General of SSA, OMB, and Congress and is not intended to be and should not be used by anyone other than these specified parties.

Arlington, Virginia
November 30, 2001
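The report's Technical Standards finding, that no process exists to verify configurations remain consistent with the published technical configuration standards once implemented, and the matching recommendation to establish such a process, describe a control without describing how it operates. The Python script below is an added example, not part of the audit report and not code from SSA or PwC, of the simplest form that process can take: a periodic comparison of each host's effective settings against the standard published for its platform. The platform names, setting names, standards and host inventory are all constructed for the example and describe no real SSA system. The check also reports the two conditions the report singles out separately: a required setting that is absent from a host, and a platform for which no standard has been established.

```python
"""Configuration-standard drift check (added example; not from the audit report).

Assumptions (all hypothetical): each platform's technical configuration
standard is a flat mapping of required setting -> expected value, and each
host reports its effective settings as a flat mapping. Real standards are
larger and platform-specific; the structure of the check is what matters.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical published standards, one per platform (constructed sample data).
STANDARDS: Dict[str, Dict[str, str]] = {
    "nt": {
        "min_password_length": "8",
        "guest_account": "disabled",
        "audit_logon_events": "success,failure",
    },
    "unix": {
        "permit_root_login": "no",
        "telnet_service": "disabled",
        "default_umask": "027",
    },
    "firewall": {
        "default_policy": "deny",
        "logging": "enabled",
        "rule_review_interval_days": "90",
    },
}


@dataclass
class Finding:
    host: str
    platform: str
    setting: str            # "*" when the whole platform has no standard
    expected: Optional[str]
    actual: Optional[str]
    kind: str               # "drift", "missing_setting" or "no_standard"


def check_host(host: str, platform: str, config: Dict[str, str],
               standards: Dict[str, Dict[str, str]] = STANDARDS) -> List[Finding]:
    """Compare one host's effective settings with the standard for its platform."""
    standard = standards.get(platform)
    if standard is None:
        # The condition the report notes for one platform: nothing to enforce yet.
        return [Finding(host, platform, "*", None, None, "no_standard")]
    findings: List[Finding] = []
    for setting, expected in standard.items():
        actual = config.get(setting)
        if actual is None:
            findings.append(Finding(host, platform, setting, expected, None, "missing_setting"))
        elif actual.strip().lower() != expected.lower():   # normalise case and whitespace
            findings.append(Finding(host, platform, setting, expected, actual, "drift"))
    return findings


def check_inventory(inventory: List[Tuple[str, str, Dict[str, str]]],
                    standards: Dict[str, Dict[str, str]] = STANDARDS) -> List[Finding]:
    """Run check_host over every (host, platform, config) record in the inventory."""
    findings: List[Finding] = []
    for host, platform, config in inventory:
        findings.extend(check_host(host, platform, config, standards))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by kind, the figure a monitoring process would trend over time."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed inventory: one compliant host, one drifted host that also lacks a
# required setting, one drifted firewall, and one host on a platform without a standard.
SAMPLE_INVENTORY: List[Tuple[str, str, Dict[str, str]]] = [
    ("nt-file-01", "nt", {"min_password_length": "8", "guest_account": "Disabled",
                          "audit_logon_events": "success,failure"}),
    ("unix-app-02", "unix", {"permit_root_login": "yes", "telnet_service": "disabled"}),
    ("fw-edge-03", "firewall", {"default_policy": "deny", "logging": "disabled",
                                "rule_review_interval_days": "90"}),
    ("as400-bat-04", "as400", {"qsecurity": "40"}),
]

if __name__ == "__main__":
    for f in check_inventory(SAMPLE_INVENTORY):
        print(f"{f.kind:16} {f.host:14} {f.platform:9} {f.setting:26} "
              f"expected={f.expected!r} actual={f.actual!r}")
    print(summarize(check_inventory(SAMPLE_INVENTORY)))
```

Run on a schedule against a fresh export of each host's settings, the summary counts give the trend a monitoring process needs, while the per-finding records identify what to remediate; a "no_standard" result is a gap in the standards themselves rather than in any host, which is why it is reported as its own kind instead of being silently skipped.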